Swift can’t do it alone.

The Society for Worldwide Interbank Financial Telecommunication, an organization
that enables money transfers worldwide, has come under fire after a rash of bank hackings -- some of
which bear fingerprints of nation-states including North
Korea. In response, it announced this week a series of new measures aimed at protecting the global financial system
from cybercrime.

These steps can’t hurt. They’ll probably help. But the more urgent security problem
rests with the banks, not with the messaging system they use.

The story began in February, when Bangladesh’s central bank fell victim to
an $81 million heist. Hackers used the Swift network to access the
bank’s account at the Federal Reserve Bank of New York and transfer funds to
accounts in the Philippines, from which they vanished. Similar breaches have
happened at banks in Vietnam and Ecuador, and possibly elsewhere.

Troubling as the heists may be, it’s important to put a few things in perspective. While
$81 million is nothing to sniff at, it’s small in comparison to the hundreds of
billions of dollars in transfers that the system facilitates every day. What’s
more, Swift itself did not fail, any more than a telephone fails if somebody
uses it to commit fraud. The network passes messages among banks, which then
move money on their own. Hackers were able to impersonate the banks thanks
to weaknesses in the systems they used to connect to
Swift. This gave the hackers access only to the compromised banks’ funds, not
to the funds of the thousands of other institutions that use Swift.

Nevertheless, the breaches are a big deal for an organization founded on trust: For the
system to work smoothly, banks must be able to assume that the messages they
receive are legitimate. To that end, Swift has wisely offered to take on more
responsibility for the security practices of its members. It plans, for example, to toughen software requirements,
expand the use of two-factor authentication (which provides an added
identity check), monitor compliance more rigorously, and facilitate sharing of
fraud-detection know-how.

Ultimately, though, Swift can only do so much. The network is fast and efficient because
it's neutral and passive -- a feature that any major effort to police some
11,000 member institutions could impair. The real solution must come where the
failure happened: at the banks. If institutions in developing nations
somehow prove unable to defend against state-sponsored attacks, some
assistance from the developed world might be in order. That said, keeping
their money safe is something banks themselves should have the
resources and expertise to do.
To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at davidshipley@bloomberg.net.